By: Dan O’Dowd CEO, Green Hills Software
THE QUESTION: With embedded devices increasingly connected not only to local networks, but also via gateways to the Internet and ultimately to large servers, the issue of security spreads from the servers to even the smaller and resource-limited devices. Where do you see the major vulnerabilities for such diverse networks and what do you see as the effective strategies for securing them?
The world’s commerce and critical infrastructure are increasingly dependent on the security of embedded devices, their software content and their communications. Yet the security posture of most embedded systems today is hopelessly inadequate. Devices ship with vulnerabilities in both operating systems and applications. We employ filters, scanners and Patch Tuesdays, but new vulnerabilities keep appearing and leave our critical resources exposed.
Security-critical systems software (e.g. operating systems, hypervisors and communications stacks) and applications must provide users with a high confidence that the system will protect high-value information and services against sophisticated attackers while remaining cost-effective and easy to use. The techniques for achieving this are well known amongst an all-too-small population of the embedded developer community. For example, no commercial jetliner fatalities have occurred as a direct result of an avionics software flaw. High-assurance software developers follow a design and development process that is foreign to what most call “best practices.”
In fact, “best practices” has become a euphemism for “whatever you can get away with.” For example, general-purpose operating systems such as Windows, Solaris and VMware are rated EAL 4+ under the international Common Criteria security standard. The specifications for these ratings assert protection only against “inadvertent or casual attempts to breach the system security.” That is not secure by anyone’s definition.
The most effective strategy for securing embedded systems and their connected networks and servers is to apply high-assurance methodology efficiently. We call this PHASE (principles of high-assurance software engineering). PHASE consists of: minimal implementation, componentization, least privilege, secure development process and independent expert validation. It is much harder to create simple, elegant solutions to problems than complex, convoluted ones, but only the simple solution can be fully understood and verified. Systems must be put together from small components, each of which can be understood and maintained by a single engineer. Each component must be granted access only to those resources that are absolutely required, so that a flaw in one component cannot be leveraged to reach the rest of the system. Security-critical components must meet the most rigorous development process standards, such as those found in DO-178B Level A.
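To make the componentization and least-privilege principles concrete, here is an added example (written for this page, not Green Hills Software's code and not how Integrity is implemented): a toy reference monitor in Python in which every component carries a static grant table and every access to a resource is mediated against it, with anything not explicitly granted denied and logged. The component names (encoder, autopilot), resources (camera, radio, flight) and sample frames are constructed for illustration.

```python
"""Added example (not from the original article): a minimal reference monitor
showing default-deny, per-component resource grants.

Components never touch a device directly; they hold a Handle, and every read or
write on a Handle is authorized by the monitor against a static grant table.
"""


class AccessDenied(PermissionError):
    """Raised when a component uses a resource or operation it was never granted."""


class ReferenceMonitor:
    """Static grant table: component -> resource -> set of permitted operations.

    Anything not listed is denied (least privilege); every decision is audited.
    """

    def __init__(self):
        self._grants = {}
        self.audit = []  # (component, resource, op, "allow" | "deny")

    def grant(self, component, resource, *ops):
        self._grants.setdefault(component, {}).setdefault(resource, set()).update(ops)

    def authorize(self, component, resource, op):
        allowed = op in self._grants.get(component, {}).get(resource, ())
        self.audit.append((component, resource, op, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{component}: {op} on {resource} not granted")


class Handle:
    """The only path from a component to a resource; every call is mediated."""

    def __init__(self, monitor, component, resource, backing):
        self._m, self._c, self._r, self._b = monitor, component, resource, backing

    def read(self):
        self._m.authorize(self._c, self._r, "read")
        return self._b.read()

    def write(self, data):
        self._m.authorize(self._c, self._r, "write")
        self._b.write(data)


class Buffer:
    """Constructed stand-in for a device: a FIFO of byte strings."""

    def __init__(self, initial=()):
        self.items = list(initial)

    def read(self):
        return self.items.pop(0) if self.items else b""

    def write(self, data):
        self.items.append(data)


def build_system():
    """Wire up constructed components and resources with minimal grants."""
    monitor = ReferenceMonitor()
    camera = Buffer([b"frame-1", b"frame-2"])  # constructed sample input
    radio = Buffer()
    flight = Buffer()
    monitor.grant("encoder", "camera", "read")
    monitor.grant("encoder", "radio", "write")
    monitor.grant("autopilot", "flight", "read", "write")
    # The encoder is deliberately given a handle to the flight controller that it
    # was NOT granted, to show that possessing a reference is not enough.
    handles = {
        "encoder": {
            "camera": Handle(monitor, "encoder", "camera", camera),
            "radio": Handle(monitor, "encoder", "radio", radio),
            "flight": Handle(monitor, "encoder", "flight", flight),
        }
    }
    return monitor, handles, radio, flight


def run_encoder(handles):
    """Legitimate encoder job: move camera frames to the radio. Returns frames sent."""
    cam, radio = handles["encoder"]["camera"], handles["encoder"]["radio"]
    sent = 0
    while (frame := cam.read()):
        radio.write(b"enc:" + frame)
        sent += 1
    return sent


def compromised_encoder(handles):
    """A hijacked encoder trying to steer the aircraft; the monitor must refuse."""
    try:
        handles["encoder"]["flight"].write(b"set-heading 270")
        return "reached flight controller"
    except AccessDenied as exc:
        return str(exc)


if __name__ == "__main__":
    monitor, handles, radio, flight = build_system()
    print("frames sent:", run_encoder(handles))
    print("attack result:", compromised_encoder(handles))
    print("flight controller queue:", flight.items)
```

The design point is that the grant table is data fixed at integration time, small enough to review by hand, rather than policy scattered through each component's code; in a real separation kernel the same role is played by the MMU-enforced partition configuration, and the audit trail is what an independent validator would inspect.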
One example of the result of PHASE is Integrity, Green Hills Software’s operating system technology that is the world’s first software to achieve a high-assurance Common Criteria security certification. In contrast to the EAL 4+ standard, our certification was at EAL 6+/High Robustness. This is the assurance level required to protect classified information and other high-value resources at risk of attack from hostile and well-funded attackers. This is secure by anyone’s definition. Among other things, EAL 6+ requires NSA penetration testing and formal methods to mathematically prove system security.
We need to work together as a community to promulgate these higher standards and enable developers to raise the assurance bar in their own applications. Green Hills Software stands ready to help with software component building blocks, tools, training and consulting.
The ramifications of failing to improve our embedded network posture are perhaps obvious, yet continue to be underestimated or ignored by stakeholders across industries. A recent example was reported in the Wall Street Journal on December 17 under the headline “Insurgents Hack U.S. Drones.” Unmanned aerial vehicles (UAVs), one of the more promising embedded networking applications in the aerospace world, have had their unencrypted video feeds intercepted by insurgents in Iraq and Afghanistan. The developers and users of these UAVs were well aware of this weakness but underestimated the enemy’s ability to exploit it. This appalling lack of security would have been prevented by proper application of and dedication to the PHASE principles.
As we look forward, we will continue to see dramatic increases in the big three C’s—Connectivity, Complexity and Cunning. Devices are increasingly connected to open networks; these devices are shipping with more and more software, leading to more vulnerabilities; and attackers are ever more sophisticated and determined. Following today’s “best practices” is simply not going to get the job done. A paradigm shift in device development is in the works, and the developers and organizations who embrace it will realize improved product reliability, increased market share, longer time in market, better product pricing power, reduced maintenance costs and, of course, bigger profits. Good security is good business.
Green Hills Software.
Santa Barbara, CA.
© 2009 RTC Group, Inc., 905 Calle Amanecer, Suite 250, San Clemente, CA 92673